For security reasons it is very important to run services like a webserver or database as a user with very low privileges. This will prevent the exploitation of security flaws of the service. The following points should be matched for this user:

  1. No login shell for this user.

  2. Use only a home directory if necessary.

  3. Disable the user login.

  4. Add to a group with low privileges like nogroup.

Create a non privileged user

useradd -g nogroup -N -M -s /bin/false -c "Apache Tomcat" tomcat
Table 1. Possible Tomcat user
Command/Parameter Description

useradd

not interactive like adduser but available on most Unix distributions.

-g nogroup

add user to group nogroup

-N

do not create a user group with the same name as user, but respect the -g flag.

-M

no home directory

-s /bin/false

set a non login shell

-c "Apache Tomcat"

a comment about the created user.

tomcat

username

Table 2. Further alternatives
Command/Parameter Description

-d /opt/tomcat/temp

set /opt/tomcat/temp as a home directory

User should be unable to login from login shell and su tomcat.

getent passwd tomcat

should result in containing :!:

tomcat:!:17174:0:99999:7:::

Sources